stackoom
  简体   繁体   中英

Content Security Policy (CSP) - only needed when there's user generated content visible for other users?

 原文  2022-03-24 18:06:34       javascript/ html/ security/ content-security-policy

Question

When reading about XSS and the Content Security Policy (CSP) everything sounds like it is important to watch out and take care if there is user generated content which is visible to other users, like through postings or comments. In case of a website where the user can't save self generated content - is it still important to set CSP up for other reasons / possible flaws?

1 answers

solution1
 0  2022-03-25 06:07:37

Firstly, it defends against situations where you did not think user content could get executed as part of your HTML.

Secondly, third-party JavaScript could cause unwanted page loads.

I'd put it in anyway. It does no harm to restrict loads from places you didn't want to load from anyway.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Catching Content Security Policy (CSP) errors how to add Content Security Policy (CSP) How to detect Content Security Policy (CSP) Header CSP (content-security-policy) not correct How does Content Security Policy (CSP) work? Content Security Policy - Issue to only one user Relaxing Chrome's CSP while running tests (webdriver) (Content-Security-policy) What might reasons be of having a Content Security Policy error when a CSP is not even specified? “Content Security Policy of your site blocks the use of 'eval' in JavaScript” warning when setting CSP meta tag in Electron Modernizr Causes Content Security Policy (CSP) Violation Errors
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM